FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2014-1471

This CVE name corresponds to:

Entered     Topic
2014-01-28  otrs -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2014-1471
Phase  Assigned (20140115)

Description

SQL injection vulnerability in the StateGetStatesByType function in Kernel/System/State.pm in Open Ticket Request System (OTRS) 3.1.x before 3.1.19, 3.2.x before 3.2.14, and 3.3.x before 3.3.4 allows remote attackers to execute arbitrary SQL commands via vectors related to a ticket search URL.

References

Source   Reference
MLIST    [oss-security] 20140129 Re: CVE Request: otrs: CSRF issue in customer web interface
CONFIRM  https://github.com/OTRS/otrs/commit/0680603a07b8dc37c2ddca6ff14e0236babefc82
CONFIRM  https://github.com/OTRS/otrs/commit/2997b36a7c84e933c4b025930cabe93efc4d261d
CONFIRM  https://github.com/OTRS/otrs/commit/c4ec9205bde9c49770ddad94c1a980c006164949
CONFIRM  https://www.otrs.com/release-notes-otrs-help-desk-3-3-4
CONFIRM  https://www.otrs.com/security-advisory-2014-02-sql-injection-issue
DEBIAN   DSA-2867
BID      65241
OSVDB    102661
SECUNIA  56644
SECUNIA  56655